-rw-r--r--ipalib/plugins/aci.py11
-rw-r--r--ipalib/plugins/permission.py4
-rw-r--r--tests/test_xmlrpc/test_permission_plugin.py62
3 files changed, 70 insertions, 7 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7ace05eb4..4b85bc93c 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -122,6 +122,7 @@ from ipalib import api, crud, errors
from ipalib import Object, Command
from ipalib import Flag, Int, Str, StrEnum
from ipalib.aci import ACI
+from ipalib.dn import DN
from ipalib import output
from ipalib import _, ngettext
if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -312,8 +313,10 @@ def _aci_to_kw(ldap, a, test=False):
kw['attrs'] = tuple(kw['attrs'])
if 'targetfilter' in a.target:
target = a.target['targetfilter']['expression']
- if target.startswith('(memberOf') or target.startswith('memberOf'):
- kw['memberof'] = unicode(target)
+ if target.startswith('(memberOf=') or target.startswith('memberOf='):
+ (junk, memberof) = target.split('memberOf=', 1)
+ memberof = DN(memberof)
+ kw['memberof'] = memberof['cn']
else:
kw['filter'] = unicode(target)
if 'target' in a.target:
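Review bot: When the stored filter has the parenthesised form `(memberOf=...)`, the text left after `target.split('memberOf=', 1)` still ends with the filter's closing `)`, and that string is passed to `DN()` unchanged. Dropping the closer before parsing would avoid that, for example `memberof = DN(memberof[:-1] if target.startswith('(') else memberof)`. The `memberof['cn']` lookup is also unguarded: a memberOf value that does not parse, or has no `cn` component, would presumably raise out of `_aci_to_kw` instead of falling back to `kw['filter']`. The targetgroup hunk below has the same unguarded `['cn']` lookup. `_aci_to_kw` starts and continues outside this hunk.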
@@ -332,8 +335,8 @@ def _aci_to_kw(ldap, a, test=False):
# targetgroup attr, otherwise we consider it a subtree
if api.env.container_group in target:
targetdn = unicode(target.replace('ldap:///',''))
- (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
- kw['targetgroup'] = entry_attrs['cn'][0]
+ target = DN(targetdn)
+ kw['targetgroup'] = target['cn']
else:
kw['subtree'] = unicode(target)
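Review bot: The `targetgroup` name is now taken from the text of the target DN rather than from the directory, so nothing in this branch confirms that the target is an existing group entry. The branch is selected by the substring test `api.env.container_group in target`, which would also match the container DN itself or a wildcard target, and `target['cn']` would then report a name that is not a group (inferred; the callers are not visible). The line `target = DN(targetdn)` also rebinds `target` from a string to a DN object; a separate name, `target_dn = DN(targetdn)` then `kw['targetgroup'] = target_dn['cn']`, keeps the two apart. A comment saying that the name is derived without an LDAP lookup, and why, would help the next reader.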
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index c48979f9d..e4d11f0d8 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -98,7 +98,7 @@ class permission(LDAPObject):
'memberindirect', 'ipapermissiontype',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
- 'filter', 'subtree', 'targetgroup',
+ 'filter', 'subtree', 'targetgroup', 'memberof',
]
attribute_members = {
'member': ['privilege'],
@@ -338,7 +338,7 @@ class permission_mod(LDAPUpdate):
result = self.api.Command.permission_show(cn, **options)['result']
for r in result:
- if not r.startswith('member'):
+ if not r.startswith('member_'):
entry_attrs[r] = result[r]
return dn
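Review bot: Narrowing the prefix from `'member'` to `'member_'` lets `memberof` through, but it also stops filtering every other key that starts with `member` without the underscore. The permission class lists `memberindirect` among its attributes, so if `permission_show` returns keys such as `memberindirect_...` they would now be copied into `entry_attrs` (inferred; the result shape is not visible here). Consider `if not r.startswith(('member_', 'memberindirect_')):`, or keep the old prefix and explicitly allow `memberof`. The enclosing method starts outside the hunk.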
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index a116a66ea..b0df80094 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -290,7 +290,7 @@ class test_permission(Declarative):
dict(
desc='Update %r' % permission1,
command=(
- 'permission_mod', [permission1], dict(permissions=u'read')
+ 'permission_mod', [permission1], dict(permissions=u'read', memberof=u'ipausers')
),
expected=dict(
value=permission1,
@@ -301,6 +301,7 @@ class test_permission(Declarative):
member_privilege=[privilege1],
type=u'user',
permissions=[u'read'],
+ memberof=u'ipausers',
),
),
),
@@ -318,6 +319,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'read'],
+ 'memberof': u'ipausers',
},
),
),
@@ -347,6 +349,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'read'],
+ 'memberof': u'ipausers',
},
),
),
@@ -368,6 +371,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'all'],
+ 'memberof': u'ipausers',
},
),
),
@@ -438,4 +442,60 @@ class test_permission(Declarative):
)
),
+
+ dict(
+ desc='Create memberof permission %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ memberof=u'editors',
+ permissions=u'write',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ memberof=u'editors',
+ permissions=[u'write'],
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ )
+ ),
+
+
+ dict(
+ desc='Create targetgroup permission %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ targetgroup=u'editors',
+ permissions=u'write',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ targetgroup=u'editors',
+ permissions=[u'write'],
+ ),
+ ),
+ ),
+
+
]
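Review bot: The added cases end with permission1 created as a targetgroup permission and no matching `permission_del`, so the entry is left behind unless the class's cleanup commands (not visible in this hunk) remove it. The new cases also cover only the successful path for `memberof` and `targetgroup`; a case naming a group that does not exist would pin down how `permission_add` reports it. The list these entries belong to starts outside the hunk.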